Use "setifempty" instead of "set" in .htaccess

The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "set" in the .htaccess of Nextcloud leads to the situation where the headers are set twice! Which leads to warnings in the admin area. Using "setifempty" solves the problem. In the default case where the system admin didn't do anything, Nextcloud will add them automatically. On the other hand, when the system administrator has already set security headers, we should not add ours on top. See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017 Signed-off-by: zertrin <zertrin@gmail.com>
zertrin · Jan 20, 2020 · aefa141 · aefa141
1 parent 434fd43
commit aefa141
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/.htaccess b/.htaccess
@@ -11,13 +11,13 @@
 
   <IfModule mod_env.c>
     # Add security and privacy related headers
-    Header always set Referrer-Policy "no-referrer"
-    Header always set X-Content-Type-Options "nosniff"
-    Header always set X-Download-Options "noopen"
-    Header always set X-Frame-Options "SAMEORIGIN"
-    Header always set X-Permitted-Cross-Domain-Policies "none"
-    Header always set X-Robots-Tag "none"
-    Header always set X-XSS-Protection "1; mode=block"
+    Header always setifempty Referrer-Policy "no-referrer"
+    Header always setifempty X-Content-Type-Options "nosniff"
+    Header always setifempty X-Download-Options "noopen"
+    Header always setifempty X-Frame-Options "SAMEORIGIN"
+    Header always setifempty X-Permitted-Cross-Domain-Policies "none"
+    Header always setifempty X-Robots-Tag "none"
+    Header always setifempty X-XSS-Protection "1; mode=block"
     SetEnv modHeadersAvailable true
   </IfModule>